1. Purpose


Ulundi Municipality has a dependency on IT to enable its business processes. Due to the 
critical nature of IT, and the intellectual and other information resources that are exposed 
through technology channels, IT governance now represents an essential component in 
ensuring the efficient and secure operation of the business. 

Chapter 5 of King III provides that directors, in exercising their duty of care, should ensure that 
prudent and reasonable steps have been taken with respect to IT Governance. Chapter 5 
sets out the following 7 principles: 

• The Council should be responsible for information technology (IT) governance; 

• IT should be aligned with the performance and sustainability objectives of the 
company; 

• The Council should delegate to management the responsibility for the implementation 
of an IT governance framework; 

• The Council should monitor and evaluate significant IT investments and expenditure; 

• IT should form an integral part of the municipality’s risk management; 

• The Council should ensure that information assets are managed effectively; and 

• A risk committee and audit committee should assist the Council in carrying out its IT 
responsibilities. 

Within Principle 5.7.2, King III recommends that Ulundi Municipality’s Council (“the Council”) 
establish an IT Charter. This IT Charter should outline the decision-making rights and 
accountability framework for IT governance that will enable the desirable culture in the use of 
IT within the company. This document will serve as the IT Charter for Ulundi Municipality. 

In addition, King III allows the Council to delegate to management or to other Council 
committees the responsibility for the implementation and monitoring of IT governance. This 
IT Charter document clarifies delegated responsibilities. 

The relationship between the IT Charter and other Council Charters is shown below:

[Figure: Ulundi Municipality Council Charter; Ulundi Municipality Audit and Risk Committee Charter; Ulundi Municipality IT Charter]


2. Desirable Culture in the Use of IT 

The Council defines the desirable culture in the use of IT hereunder. The decision making 
rights and accountability framework defined in the remainder of the document is designed to 
achieve these 10 objectives. 

i) The activities and functions of the IT strategy are aligned to the business strategy. 
Opportunities to improve the use of IT within Ulundi Municipality are identified and 
exploited. 

ii) The optimal investment is made in IT, costs are managed, and the return on 
investment is measured. 

iii) Synergies between IT initiatives are enabled and IT choices are in the best interest
of the organisation as a whole, and not only those of individual business units.

iv) IT services are sourced optimally and legitimately. 

v) IT risks are identified and adequately addressed. Assurance is obtained to ensure 
that an IT control framework is in place to address IT risks. 

vi) Information, IT assets and intellectual property contained in IT systems are 
protected and effectively managed and used. 

vii) IT has adequate business resilience arrangements in place for disaster recovery. 

viii) Information Management is a joint IT and business responsibility. 

ix) IT use conforms to IT-related laws, and related rules, codes and standards are
considered.

x) IT use is sustainable with respect to the environment. 

3. Decision Making Rights and Accountability - Centralised IT


Note: Currently Ulundi Municipality has an IT manager that reports into Chief Finance 
Services, who is a member of Exco. IT currently has no direct representation on Exco. 

The Chief Financial Officer has responsibility to establish an IT department for Ulundi 
Municipality. Some of the duties that should be included in the role of the CFO are as follows: 

• Computing and information technology strategic plans; 

• Policies & procedures; 

• Prioritising projects; 

• Ensuring adequate financial planning is done for information technology related 
procurement; 

• Network communications; and 

• Management information services to accomplish corporate goals and objectives.

Reporting of IT into EXCO

As IT is expected to play a strategic role in the organisation, IT will be a standing item on 
EXCO's agenda. The IT manager will report to EXCO on strategic IT initiatives, the 
extent to which projects from the IT strategy are being implemented and in general how 
technology opportunities are being exploited within the organisation. 

The Council identifies the following 10 decision-making domains for IT which need
to be considered:

• Strategy 

• Governance (framework and implementation) 

• Investment and prioritisation 

• User Management 

• Infrastructure 

• Applications 

• IT Internal Administration 

• Information 

• Security 

• IT budget 


The Council grants decision making rights within the centralised IT department by using the 
following RACI Chart. 

| | | Responsibility | | | |
| IT Decision Category | Formal decision making bodies - other than the IT Management Committee, which is transversal across all decisions | Audit & Risk | EXCO | Business Managers | IT Manager |
|---|---|---|---|---|---|
| Strategy | | I | C | C | R |
| Governance | Audit and Risk Committee | I | A/R | I | R |
| Investment and prioritisation | | I | C | A/R | R |
| User management | | | C | C | R |
| Infrastructure | | I | | C | R |
| Applications | | I | I | A | R |
| IT internal admin | | | I | | R |
| Information | | | I | | R |
| Security | Audit and Risk Committee | I | I | C | R |
| IT Budget | | | I | C | R |


A RACI model is a tool for identifying roles and responsibilities, as depicted in the chart
above.

R | Responsible | Owns the problem/project
A | Accountable | Who signs off work before it is effective
C | Consulted | Has information and/or capability necessary to complete the work
I | Informed | Must be notified of results, but need not be consulted


4. IT Steering Committee 

An IT Steering Committee will be established to take decisions around IT Strategy and IT 
Governance Risk and Compliance, whilst carrying out the following responsibilities: 

• Ensure the implementation of the IT Charter, including the defined IT governance 
structures. 

• Maintain the IT Charter. 

• Receive and act upon direction from the Risk Committee relating to IT governance. 

• Ensure that an IT internal control framework is implemented.

• Ensure that IT principles, policies, procedures and standards are defined and 
implemented. 

• Approval of IT principles, policies, procedures and standards. 

• Ensure the promotion of an ethical IT governance culture and awareness of a common 
IT language. 

• Ensure that the company has adequate business resilience arrangements in place for 
IT disaster recovery. 

• Ensure that appropriate processes are followed for the identification, assessment and 
management of IT risks as part of the enterprise wide risk management framework. 

• Ensure compliance with relevant IT laws and related rules, codes and standards. 

• Ensure that a process is established for legal review of IT contracts. 

• Ensure that IT financial governance (e.g. sign-off levels, budget principles such as 
depreciation rules) is adhered to within IT. 

• Ensure the corporate sustainability strategy is supported by IT strategies. 

• Obtain assurance on the IT governance and controls supporting significant outsourced
IT services.

• Receive and act upon independent IT audit reports. 

• Provide risk reporting to the Group Risk Forum meetings. 

• Provide a Council report on IT to the Risk Committee to assure the Council that their 
responsibilities relating to King III have been implemented in terms of the following: 

o Value derived from IT, measured against IT performance criteria; 
o IT risks; 

o IT security and continuity, including data privacy; 
o IT projects; 

o IT cost and major investments; 
o IT strategy and progress on IT strategy plan; and 
o IT governance and control. 

• Ensure that a process is in place to identify and position strategic IT initiatives and
services which will best contribute to the achievement of the business objectives and 
are agile and adaptive enough to support changes in the business strategy. 

• Resolve conflicting business priorities. 

• Ensure that an IT strategy is prepared. 

• Ensure that business units understand the importance of common IT standards and 
implications of non-compliance. 

• Ensure implementation of the IT strategy and monitoring of outcomes. 

• Monitoring IT performance and dealing with performance issues. 

• Overseeing the IT implementation of the IT Governance framework, knowledge and 
information management and strategic sourcing. 

• In addition to the above, review and approve major decisions relating to General IT 
Management. These include IT human resources, IT financial management and 
marketing of IT services to the business (business relationship management). 

• Submit the minutes of meetings, or summaries thereof, to the Corporate Risk 
Committee immediately following the meeting. 

• Prioritise and approve IT investment requests (IT projects) within the delegated 
approval framework, ensuring the right balance between initiatives that run the current 
business, grow the existing business, and have the potential to transform the business. 
The committee will be aided in this regard by the IT Projects Committee. 


Membership: 

• Municipal Manager; 

• Chief Financial Officer; 

• Manager ICT; 

• Information Security Officer; 

• Directors (invitation basis);

• Business Unit managers (invitation basis);

• Divisional Managers (invitation basis).

Meetings: 

• The Committee will meet at least four times a year, with more frequent meetings, as 
circumstances require. 

• The quorum for decisions is at least 50% of the permanent members. 

5. Council and EXCO Responsibilities


The Council/EXCO retains the following responsibilities for IT governance. 

5.1. Ulundi Municipality Executive Committee 

The Committee will carry out the following responsibilities: 

• Direct and control IT through the establishment of an IT governance framework, 
embedded in this IT Charter. 

• Receive and act upon the Council report on IT developed by the IT Steering 
Committee to assure the Council that their responsibilities relating to King III have 
sufficiently been implemented. 

• Submit the Council report on IT, or summaries thereof, to the Council. 

• Obtain appropriate assurance that controls are in place and effective in addressing 
IT risk. 

• Ensure that IT risks are identified, assessed and mitigated through an IT control 
framework. 

• Consider IT as it relates to financial reporting and the going concern of the company. 

• Consider the use of technology to improve audit coverage and efficiency. 

5.2. Ulundi Municipality Council 

Council will retain accountability for IT governance. The Council will carry out the following
responsibilities:

• Understand the strategic importance of IT, assume responsibility for the governance
of IT and place it on the Council agenda.

• Receive and act upon Council level IT reporting received from the Executive
Committee.

• Satisfy itself that its responsibilities relating to King III have sufficiently been 
implemented. 

6. IT Standards


6.1. CobiT 

Principle 5.1.3 of the King III Report on Governance recommends that an IT internal control 
framework be adopted and implemented. 

CobiT is an internationally recognised IT control framework which is published by the
Information Systems Audit and Control Association (ISACA). ISACA asserts that it is a
non-profit professional association with more than 47,000 members in more than 140 countries.

The Council endorses CobiT as its principal IT internal control framework. Its endorsement of
CobiT will be evidenced by performing maturity assessments of CobiT processes that are
most relevant to the business and maturing the processes over time.

6.2. ISO 27000 

Principle 5.6.3 of the King III Report on Governance recommends that an Information Security
Management System (ISMS) be developed and implemented. The ISO 27000 series is
currently the most recognised Information Security standard. The series includes an ISMS
specification (ISO 27001) as well as relevant security best practices (ISO 27002).

The Council endorses ISO 27000 as the ISMS standard to achieve King III Report on 
Governance compliance. Its endorsement of ISO 27000 will be evidenced by selecting 
relevant practices from the ISO 27000 series through a risk-based approach, and embedding 
them into its IT policy framework for approval and implementation over time. 

7. Approvals 


The table below provides necessary approvals of this strategy. 


| Approver | Signature | Date |
|---|---|---|
| Chairman of the Council | | |
| Chairman of the Audit and Risk Committee | | |
| Ulundi Municipal Manager | | |